Sunday, November 08, 2009

Irish law on hacking tools / dual-use software

In my last post I mentioned the iPhone dessid app which generates WEP keys from the SSIDs of Eircom routers - making life easier for individuals who wish to piggyback on the wifi of others.

What are the legal issues associated with using or providing this app? Unsurprisingly, media coverage of the software has reported that unauthorised access to wifi may constitute a criminal offence, something Eoin O'Dell has previously teased out in a series of three posts.

A more difficult question, however - and one which hasn't yet been considered - is whether simply providing the app might itself constitute a criminal offence.

So-called hacking tools have been specifically criminalised in some jurisdictions. In the UK, for example, section 37 of the Police and Justice Act 2006 (which was eventually brought into force in October 2008) amended the Computer Misuse Act 1990 to create a new offence of making, supplying or obtaining articles for use in computer misuse offences - an offence which would be committed where a person supplies a program "intending it to be used" or "believing that it is likely to be used" in an unauthorised access offence.

That offence is wide enough to capture dual-use tools - programs such as this one which have legitimate as well as criminal uses - and consequently the Crown Prosecution Service has issued guidelines to prosecutors in relation to when prosecutions should be brought, looking at factors such as whether software is "available on a wide scale commercial basis and sold through legitimate channels", is "widely used for legitimate purposes", is "circulated to a closed and vetted list of IT security professionals or [is] posted openly" or has been "developed primarily, deliberately and for the sole purpose of committing" an offence.

Unsatisfactory though the UK law and guidance might be (a point made by, amongst others, Richard Clayton), it does at least attempt to legislate specifically for computer crime. Irish law, on the other hand, has no offence specifically tailored for this situation, leaving us to wonder whether new situations might be forced within the confines of old offences. I wrote about this point recently for Reich (ed.), Cybercrime and Security, and here's a short excerpt:

While Irish law does not specifically deal with these matters, it may be possible to prosecute in individual cases using section 4 of the Criminal Damage Act 1991. That section provides:

“A person (in this section referred to as the possessor) who has any thing in his custody or under his control intending without lawful excuse to use it or cause or permit another to use it— (a) to damage any property belonging to some other person … shall be guilty of an offence.”

Bearing in mind that the definition of property under the 1991 Act includes data, this section would seem to be wide enough to criminalise possession of e.g. a virus or Trojan horse where accompanied by an intention to damage property. It should, however, be noted that this section does not criminalise creation, possession, sale or distribution per se – in every case it must be shown that the defendant had an intention to use the item to damage property. This appears to create two related problems for prosecutors. From an evidential point of view it is likely that they will face a difficulty in demonstrating that an accused person had the necessary intention. Moreover, the intention which must be shown is an intention to damage property – a mere intention to carry out an unauthorised access would not suffice. If, for example, A were found to be in possession of a username and password belonging to B, this would not be an offence under section 4 if A’s intention was merely to view B’s data.

Applying this analysis to the dessid app, it seems to me unlikely that distributing this or similar software would be an offence under section 4. First, that section requires an intention to cause or permit a person to use it to commit an offence. Mere foresight that an offence might be committed would not seem to be enough. Secondly, section 4 applies only to things to be used for the purpose of criminal damage - so that distribution of software for some other illegal purpose (such as unauthorised access) would not fall within its remit. (A further obstacle might lie in the narrow wording of section 4 - is software a "thing" within the meaning of that section?)